The continuing pandemic and the shift to digital and cloud platforms have brought many new challenges to network security: a larger attack surface, greater IT complexity, shadow IT and so on. In 2018, Gartner urged security leaders to start reducing, monitoring, and managing their attack surfaces as part of an overall cybersecurity risk management plan. Today, attack surface management is becoming a top priority for CIOs, CTOs, CISOs, and security teams.

What is the attack surface?

Your attack surface is all the hardware, software, SaaS, and cloud assets that can be reached over the Internet and that process or store your data. It can also be viewed as the total set of attack vectors that cybercriminals can use to manipulate networks or systems and extract data. Your attack surface includes:

◼ Known assets: inventoried and managed assets, such as your company website, its servers, and the dependencies that run on them;

◼ Unknown assets: shadow IT or orphaned IT infrastructure that is outside the purview of your security team, such as forgotten development or marketing sites;

◼ Rogue assets: malicious infrastructure set up by threat actors, such as malware, cybersquatted domains, or websites and mobile applications that impersonate your domain name;

◼ Vendors: your attack surface is not limited to your own organization; third-party and fourth-party vendors introduce significant risk as well. Even small suppliers can cause large data breaches, as with the HVAC supplier whose compromise ultimately led Target to leak the credit card and personal data of more than 110 million consumers.

Unfortunately, millions of such assets appear on the Internet every day, entirely outside the reach of firewalls and endpoint protection. The attack surface is sometimes called the external attack surface or the digital attack surface.

What is Attack surface management?

Attack Surface Management (ASM) is the continuous discovery, inventory, classification, prioritization, and security monitoring of external digital assets that store, transfer, or process sensitive data.

Attack surface management is important because it helps prevent and mitigate risks stemming from:

◼ Legacy, IoT and shadow IT assets;

◼ Human error and negligence, such as phishing and data breaches;

◼ Vulnerable and outdated software;

◼ Unknown open-source software (OSS);

◼ Targeted cyber attacks against your organization;

◼ Mass attacks on your industry;

◼ Intellectual property infringement;

◼ IT assets inherited through M&A activity;

◼ Vendor-managed assets;

Timely identification of digital assets is an essential component of robust threat intelligence and can significantly reduce the risk of data breaches. Remember that all an attacker needs to launch an attack is one weak link in your organization.

Best practices for attack surface management

The proliferation of cloud computing solutions, remote and work-at-home systems, and connected devices will undoubtedly create a larger attack surface, further increasing security risks. The best way to reduce the number of vulnerabilities is to establish an appropriate enterprise attack surface management program.

Proper and effective attack surface management requires analysis of operations to discover potential vulnerabilities and understand the situation. This information helps the organization plan, but success depends on how the plan is executed across the organization’s network, systems, channels, and touchpoints.

Here are some best practices to consider when building an enterprise attack surface management program that minimizes vulnerabilities and reduces the chances that threat actors will compromise your organization’s networks and devices.

1. Map the attack surface

To deploy proper defenses, you must understand what digital assets are exposed, where attackers are most likely to penetrate the network, and what protections need to be deployed. Therefore, it is important to improve the visibility of the attack surface and build a robust representation of attack vulnerabilities. The types of vulnerabilities to look for include older, less secure computers or servers, unpatched systems, outdated applications, and exposed Internet of Things devices.

Predictive modeling helps to create realistic descriptions of likely events and their risks, further strengthening defenses and proactive measures. Once you understand the risk, you can model what happens before, during, and after an event or breach. What kind of economic loss can you expect? How much damage will it do to the company’s reputation? Will you lose business intelligence, trade secrets or more?

John Pescatore, head of emerging security trends at SANS, said:

The strategy for successful attack surface mapping is simple: know what you want to protect (an exact list of assets); monitor these assets for vulnerabilities; and use threat intelligence to understand how attackers can exploit these vulnerabilities to attack these assets. Each of these three phases requires staffing with skilled security technology to keep up with the pace of change in all three areas.

2. Minimize vulnerabilities

Once organizations have mapped their attack surface, they can take immediate action to mitigate the risks posed by the most important vulnerabilities and potential attack vectors before moving on to lower-priority tasks. Taking assets offline where possible and strengthening internal and external networks are two key areas to focus on.

Today, most platform vendors on the market offer tools to help minimize the attack surface. For example, Microsoft’s Attack Surface Reduction (ASR) rules can help block processes and executables commonly used by attackers.

It’s worth noting, though, that most breaches are caused by human error. Security awareness and training for employees is therefore another key aspect of reducing vulnerabilities. What policies do you have in place to help them practice good security at home and at work? Do they understand what they need to do? What security practices should they follow? And how would a breach affect them and the business as a whole?

Not all vulnerabilities need to be fixed, and some will persist regardless. A credible cybersecurity strategy needs a way to identify the most relevant ones and single out those more likely to be exploited. These are the vulnerabilities that should be mitigated and monitored.
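The mapping step above (section 1, where known, unknown and rogue assets are distinguished) and this prioritization step can be worked through together. The following is an added example, not code from the original article or from any vendor it names: it reconciles constructed external-scan results against a constructed inventory, classifies each host, and ranks the findings by a simple point scheme (the domain names, banners, end-of-life list and point values are all assumptions made for the example).

```python
"""Added example: reconcile external discovery results against an asset inventory (constructed data)."""
from difflib import SequenceMatcher

ORG_DOMAINS = ("example.test",)  # constructed organisation domain
# Constructed inventory: the hosts and ports the security team believes are exposed.
KNOWN_ASSETS = {
    "www.example.test": {443: "nginx 1.24"},
    "api.example.test": {443: "nginx 1.24"},
}
# Constructed discovery output, as an external scan would report it: (host, port, banner).
DISCOVERED = [
    ("www.example.test", 443, "nginx 1.24"),
    ("www.example.test", 22, "OpenSSH 7.4"),        # admin port not in the inventory
    ("dev-old.example.test", 80, "Apache 2.2.15"),  # forgotten development site
    ("examp1e.test", 443, "nginx 1.24"),            # lookalike of the organisation's domain
]
EOL_PREFIXES = ("Apache 2.2", "OpenSSH 7.", "PHP 5.")  # constructed end-of-life banner list
ADMIN_PORTS = {22, 23, 3389, 5900}

def classify(host):
    """known = in inventory; unknown = ours but unmanaged; rogue = lookalike of our domain."""
    if host in KNOWN_ASSETS:
        return "known"
    if any(host == d or host.endswith("." + d) for d in ORG_DOMAINS):
        return "unknown"
    registrable = ".".join(host.split(".")[-2:])
    return "rogue" if any(SequenceMatcher(None, registrable, d).ratio() >= 0.8 for d in ORG_DOMAINS) else "external"

def score(host, port, banner):
    """Return (points, reasons); higher points mean the finding should be handled first."""
    kind = classify(host)
    points = {"known": 0, "unknown": 3, "rogue": 4, "external": 1}[kind]
    reasons = [] if kind == "known" else [kind + " asset"]
    if kind == "known" and port not in KNOWN_ASSETS[host]:
        points += 2
        reasons.append("port not in inventory")
    if port in ADMIN_PORTS:
        points += 2
        reasons.append("remote-admin port exposed")
    if banner.startswith(EOL_PREFIXES):
        points += 3
        reasons.append("end-of-life software")
    return points, reasons

def triage(discovered=DISCOVERED):
    """Findings sorted most urgent first; hosts that match the inventory (zero points) are dropped."""
    scored = [(score(h, p, b), h, p) for h, p, b in discovered]
    return sorted([(pts, h, p, why) for (pts, why), h, p in scored if pts], key=lambda r: -r[0])
```

Calling triage() on the constructed data ranks the unexpected SSH service on the known web host first, the forgotten development site second, and the lookalike domain third.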

Today, most businesses grant more access than employees and contractors need. Enforcing the principle of least privilege ensures that even if an account is compromised, there will be no disruption or significant damage. Organizations can start by analyzing access to critical systems and then limiting each person and device to the assets they absolutely need.

3. Establish strong security practices and policies

Strictly following some time-tested best security practices will greatly reduce your attack surface. This includes implementing intrusion detection solutions, conducting regular risk assessments, and developing clear and effective policies. Here are some things to consider:

◼ Sound account management with strong authentication and access controls;

◼ A consistent patch and update strategy;

◼ Maintained and tested backups of critical data;

◼ Network segmentation to minimize damage when a breach does occur;

◼ Monitoring and phasing out old equipment, hardware and services;

◼ Encryption wherever feasible;

◼ Established or restricted BYOD policies and programs;

4. Establish security monitoring and testing protocols

As IT infrastructure changes and threat actors evolve, strong cybersecurity programs also need to be constantly adapted. This requires continuous monitoring and periodic testing, which can often be achieved through third-party penetration testing services.

Monitoring is usually done through automated systems such as security information and event management (SIEM) software. A SIEM collects log data generated by host systems and applications as well as by network and security devices such as firewalls and antivirus filters, then identifies, classifies, and analyzes the resulting events.

Penetration testing can provide unbiased third-party feedback to help you better understand your vulnerabilities. During this process, penetration testers conduct simulated attacks aimed at revealing critical weaknesses. The testing should cover the core elements of the enterprise network, BYOD devices, and third-party equipment used by vendors. Remember, mobile devices account for about 60 percent of enterprise data interactions.

5. Strengthen your email system

Phishing is a common way for attackers to break into your network. However, some organizations have yet to fully deploy the email protocols designed to limit the number of malicious emails employees receive. These protocols include:

◼ Sender Policy Framework (SPF), which prevents spoofing of legitimate email return addresses;

◼ DomainKeys Identified Mail (DKIM), which lets receiving email systems verify that outbound messages genuinely came from your domain;

◼ Domain-based Message Authentication, Reporting, and Conformance (DMARC), which lets you set rules for how messages that fail SPF or DKIM checks should be handled;

Most companies have not fully deployed all of these protocols, but Aetna, an international health insurer, has. Doing so has also helped the company reduce software bugs and shorten time to market.
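The three protocols above are published as DNS TXT records, so whether a domain has actually deployed them can be checked from those records. The following is an added example, not code from the original article: it grades the SPF and DMARC records of constructed domains (the domain names and records are assumptions; real checks would resolve the names with a DNS library instead of the embedded dictionary). DKIM is deliberately not graded, because its key record can only be located once the selector is known from a signed message.

```python
"""Added example: grade a domain's SPF and DMARC records from constructed DNS answers (no network)."""

# Constructed TXT answers keyed by the name that would be queried; a real check would
# resolve these with a DNS library (assumption: dnspython or similar, not shown here).
SAMPLE_DNS = {
    "weak.test": ["v=spf1 include:_spf.mailhost.test ?all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
    "strong.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.test -all"],
    "_dmarc.strong.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.test; adkim=s; aspf=s"],
    "nodmarc.test": ["v=spf1 -all"],
}
# DKIM is not graded here: its public key lives at <selector>._domainkey.<domain>, and the
# selector is only known from the DKIM-Signature header of a message, not from the domain.

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict with lower-case tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(domain, dns=SAMPLE_DNS):
    """Return findings for the domain; an empty list means SPF and DMARC are enforcing."""
    findings = []
    spf = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append("SPF: missing or duplicate record (duplicates cause a permerror)")
    else:
        terms = spf[0].split()
        all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
        if all_term is None or all_term.lstrip("+") in ("all", "?all"):
            findings.append("SPF: no restrictive 'all' mechanism, unauthorised senders pass")
        elif all_term == "~all":
            findings.append("SPF: softfail only; DMARC must act on failures")
    dmarc = [r for r in dns.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record, so SPF/DKIM failures are neither acted on nor reported")
        return findings
    tags = parse_tags(dmarc[0])
    if tags.get("p", "none").lower() == "none":  # p is required; a missing one is treated as none
        findings.append("DMARC: p=none only monitors; move to quarantine or reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports are not collected")
    if tags.get("pct", "100") != "100":
        findings.append("DMARC: pct<100 applies the policy to only a sample of mail")
    return findings
```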

6. Understand compliance

All organizations should have policies and procedures in place to research, identify, and understand internal and government standards. The goal is to ensure that all security policies are compliant and that appropriate response plans are in place for all types of attacks and breaches.

This may require the establishment of a working group and strategy to review new policies and regulations as they enter into force. There’s no doubt that compliance is important to modern cybersecurity strategies, but that doesn’t necessarily mean it should be a priority. According to Pescatore:

Compliance often comes first, but almost 100% of companies with credit card breaches are PCI compliant. However, they are not secure. He argues that a cybersecurity strategy should first assess risk and deploy processes or controls to protect the company and its customers. The business should then produce the documents required by the various compliance regimes, such as HIPAA or PCI, to show how its policies are compliant.

7. Hire auditors

Even the best security teams sometimes need a fresh perspective when evaluating the enterprise attack surface. Hiring security auditors and analysts can help you spot attack vectors and vulnerabilities that might otherwise go unnoticed.

They can also assist in developing incident management plans to deal with potential breaches and attacks. Too many organizations are unprepared for cyber attacks because they lack an independent check on whether their policies are flawed.

Jason Mitchell, chief technology officer of Smart Billions, said:

When trying to objectively identify security risks, it can be very beneficial to have an outside, unbiased view. Use independent monitoring processes to help identify risky behavior and threats before they become problems at endpoints, especially with new digital assets, new vendors, and remote employees.

Leading attack surface management vendors

1. UpGuard

UpGuard BreachSight monitors more than 70 security controls across an organization, provides simple, easy-to-understand network security ratings, and automatically detects compromised credentials and data in S3 buckets, Rsync servers, GitHub repositories, and more.

For assessing vendors’ information security controls, UpGuard Vendor Risk reduces the time organizations spend evaluating third-party controls by automating vendor questionnaires and providing questionnaire templates.

The main difference between UpGuard and other vendors is its recognized expertise in preventing data breaches, reflected in coverage by publications such as The New York Times, The Wall Street Journal, Bloomberg, The Washington Post, Forbes, Reuters, and TechCrunch.

2. Expanse

San Francisco-based Expanse, founded in 2012, is an attack surface management startup developing solutions for monitoring the attack surface for risk assessment and threat mitigation. For example, Expanse gives enterprises the capability to scan for exposed servers across the entire Internet and to analyze outbound behavior to detect breaches.

The Expanse platform includes a dashboard for discovering and monitoring Internet assets, software for monitoring suspicious network activity and analyzing traffic patterns, and a set of APIs and tools for integrating with existing IT infrastructure. Expanse’s data provides an outside-in view of the enterprise, reflecting what attackers see when they look for vulnerabilities.

In November 2020, Palo Alto Networks acquired Expanse for $800 million, and co-founders Tim Junio and Matt Kraning joined Palo Alto Networks after the deal closed.

Expanse had secured $136 million in funding to that point. Previous investors include TPG, IVP and New Enterprise Associates.

3. RiskIQ

RiskIQ is a leader in digital threat management, providing comprehensive detection, intelligence and mitigation of threats associated with an organization’s digital presence. RiskIQ enables enterprises to gain unified insight into and control over their web, social media and mobile exposure. Its platform combines Internet-scale data reconnaissance and analysis to accelerate investigations, understand the attack surface, assess risk, and take action against digital threats. With RiskIQ Community Edition, security analysts have free access to its solutions in a collaborative online environment for coordinated network defense.

4. Elevate Security

Elevate Security is a leader in human attack surface management and was founded in 2017 by two former Salesforce security executives. In May 2021, Elevate Security launched a new platform that addresses one of cybersecurity’s biggest challenges, human error, with intelligent, customized and automated responses to employee risk across the organization.

The Elevate Security platform captures an organization’s security data to establish baseline visibility of human risk, enabling customers to proactively tailor security controls and create a “safety net” around their most at-risk employees.

With the insights and controls the Elevate Security platform provides, CISOs are better positioned to support high-growth initiatives within the enterprise while defending the human attack surface.

5. Censys

Censys, a leading provider of continuous attack surface management, was founded in 2013 in Ann Arbor, Michigan to provide organizations with the world’s most comprehensive real-time view of global networks and devices.

In 2020, Censys developed a new scanning engine that sees 44 percent more of the Internet than any other cybersecurity company. The new architecture provides quick and actionable discovery, enumeration of risks, and remediation recommendations for Censys attack surface management clients to prevent attacks and breaches.

FireEye, Google, NATO, the Swiss Armed Forces, the U.S. Department of Homeland Security and more than 25% of Fortune 500 companies rely on the company’s Internet-wide continuous visibility platform to detect and prevent cyber security threats. Censys was also named “Cyber Defender of the Year 2019” by CB Insights for its groundbreaking technology that has the potential to transform the cybersecurity industry.